45 MAY 1981


MEMORANDUM FOR THE RECORD 


FROM:
Programs Development Branch,
Operations Evaluation — ISSG


SUBJECT: of two members 


REFERENCE: ODP 81-462, dtd 10 April 1981
           ODP 81-566, dtd 1 May 1981


1. On 6 May 1981, from 1315 to 1445 hours, subjects were
provided an informal briefing of specific areas of interest in
the Information System Security area as they relate to the
current efforts of the o develop and implement a large
computerized system In essence, we shared with them
some specific security suggestions/recommendations which could be
useful in their efforts to develop this new system. Reference
(attached) provides background information regarding the system
plans, configuration, time schedules, etc. Hardware and software
vendors were unknown at this time.


2. Attachment II reflects the viewgraphs used in this
presentation. We skimmed over the Physical/Personnel security
portion of our outline in that we discovered early on that they
were more interested in the systems security area than in the
physical or procedural areas (although they did take notes in
areas of tape/disk control, concerns in maintenance area, output
controls, etc.).


3. Areas of particular interest included desired hardware
and software features involving selective access to system(s);
logging all attempts to access; memory and magnetic media
sanitization, user identification, and event log inspection. Also
included were security testing and theft and copy protection. We
pointed out to them that they were fortunate to be considering
these security issues early on in that it is much easier to
design-in security features (via statement of work/RFP, etc.)
than trying to retrofit after a system is "on the air".
4. We provided our guests with one copy of the Willis Ware
Report (reissued 1979-unclassified) published by RAND Corp
entitled "Security Controls for Computer Systems" and another
paper (FREY-unclassified outlining general security requirements
which we would like to see in computer systems processing
"multi-level" data). NOTE: At no time did we mention specific
"installation unique" information (e.g., system specific password
thresholds) which would be oe ae sensitive from a
counterintelligence standpoint.


5. Our remarks generated lively exchange of ideas in areas
mentioned. Our suggestions included:

- Separation of I/O from main computer center (to
  control access)

- Strict tape/disk (incl floppy) control

- Software terminal disconnect features

- On Line audit (by exception)

- Use of SMF (if IBM system) for auditing

- Memory clear

- Restricted Memory dumps

6. At the conclusion they asked for a copy of viewgraphs
which have since been provided them. We also volunteered our
assistance should they need it and that they could contact us
through established channels. The only other person present
throughout interview was
ADP SYSTEMS SECURITY

COMPUTER CENTER ACCESS

- CENTER - OPEN VS. SECURE
- ACCESS CONTROL/BADGE SYSTEM
- CONTROL OF MAINTENANCE PERSONNEL
- TAPE/DISK LIBRARY & CONTROL
- PERSONNEL STAFFING AND CHECKS
- IBM 3350 FIXED DISK PROBLEM ?
  PHYSICAL SWITCH
  POWER DOWN
REMOTE TERMINAL OPERATION

LOCATED IN SECURE/UNSECURED AREAS?

TERMINALS W/BUFFER MEMORY

SOFTWARE FEATURES TO DISCONNECT

AUDIT TRAIL FOR USER MANAGEMENT

TERMINAL - INPUT/OUTPUT
CLASSIFIED LABELS - I/O

USERID/PASSWORD PROTECTION MECHANISMS
IV. SYSTEM SECURITY

- MAIN MEMORY OVERWRITE
- AUTOMATIC TERMINAL DISCONNECT
- LOCK OUT TERMINAL FEATURE
- ROLE OF SMF DATA FOR AUDITING
- ACF-2

V. PERSONNEL SECURITY
VI. THREAT

- PROBLEM - CASES - HISTORY
- GOVERNMENT AND INDUSTRY - WHAT DOES EVIDENCE SHOW?
OTHER TOPICS

- CONTRACT EFFORTS,
  TEST METHODOLOGY,

- AUDIT TRAIL EFFORTS,
  CONTRACT TO STUDY HSTS/AUDIT-

- AUTHENTICATION DEVELOPMENTS,
  SIGNATURE VERIFICATION
  PALM PRINTS